This is an old post so a known issue. I think folks using ES app or using Splunk as a SIEM and almost any US Govt supplier will need most of that 'extra' info for any IT sec forensic analysis. Most all US Govt suppliers are subject to NIST now and CMMC coming in 2024. I would imagine HIPPA, SOX, GDPR, GLBA, and CCPA companies systems will need that as well. It is noisy but attacks are very often using non-standard ports to transfer information/data to/from an outside host like ICMP, SSH, and RDP as most application level IDS/IPS are looking at 80/443 inspection. For general SMB and Small Enterprise this is probably viable in some respects though. ... View more

Hey Madhan45, Did you resolve this issue ? I am facing the same issue here. I have users with same roles but gives different results on same search head.  Please let me know ... View more

I just confirmed with my colleague that his dashboard is using the google map instead of the internal map of Splunk as the internal map not able to provide enough zoom for the information. Since our Splunk environment is inside the internal network which is not able to access internet but can update our Splunk through proxy. Is it the root cause that PDF not able to get google map information? Is it possible that I can use the proxy to make it work? ... View more

In case of duplicate issues, we need to check the following: Whether the source file contains duplicate events If mistakenly two inputs.conf are configured in splunk or two forwarders The original application may send the same data intentionally to two different channels (eg two files) Behavior where the forwarder is convinced to read a file multiple times, such as an explicit fishbucket reset, or incorrect use of CRCSalt' Monitoring the directory with symlink loops Use of the forwarding ACK system, where network failures are correctly intended to result in small amounts of duplicated data Use of summary indexing to intentionally duplicate events in splunk The original application may have a bug which produces the log duplication The following endpoint lists all files known to the tailing processor along with their status (read, ignored, blacklisted, etc...) Link: https://[splunkd_hostname]:[splunkd_port]/services/admin/inputstatus/tailingprocessor:filestatus If you can not able to rectify the issue in the above scenarios, you can enable the DEBUG level using the following components. TailingProcessor BatchReader WatchedFile FileTracker To check if the events are duplicated, you can use follwoing SPL, | eval md=md5(_raw) | stats count by md | where count > 1 For more information, kindly check, community: Troubleshooting Monitor Inputs Link: https://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs ... View more

At the moment I dont get data about applications or services in splunk yet, Im figuring out how I can get the data in splunk with ossec ... View more

Hi, a short follow up question regarding this topic 🙂 How to only keep the tagged elements? Best regards Heinz ... View more

Any update on if this solved your issue? ... View more

Perhaps this is what you are looking for? index=app sourcetype=EPC*Event* level=ERROR |rex field=requestUrl mode=sed "s/\\d|\d\|%\/|\$amps;\/|\)\/|\(\/|%|\$|\d|\(|\)/@/g"|stats count as Counts by eventId,eventName,level,sourcetype,requestUrl|sort -Counts| where Counts >= 1000 | head 30|rename sourcetype As Sourcetype,eventId As Eventcode,eventName as Description|fields Sourcetype,Eventcode,Counts,Description,requestUrl ... View more

this shows you the actions by user and IP index=_internal sourcetype=splunkd_ui_access | stats count by clientip , user , _time | eval UserIP=user+" - "+clientip | timechart span=1d count by UserIP ... View more

I use Windows OS. For testing I gave Fullcontrol to Everyone, but the Warning still appears. Edit: OK, it was a permission problem, thank you! ... View more

Thank you so much.. it worked.. foreach * [eval <>=round('<>'*100/Total] .. I was struggling with this for such a long time.. ... View more

Thank you, this answer is similar to what I expected. ... View more

First of all it would help if you could give us the Name of the TA. In most TAs is an README File qhere you can find further Instructions. For the credential Setup. Take a look in your "%splunkroot%\etc\apps[TA_NAME]\default" directory. Are there some config files? If yes, take a look at them. (please DONT edit them) If you can find the nessesary parameters, copy the Files you need to edit to "%splunkroot%\etc\apps[TA_NAME]\local" and edit them there. ... View more

Thanks....I was having a huge brain fart. ... View more

You can change the setting in the server.conf [license] report_interval = <nonnegative integer>[s|m|h] * Selects a time period for reporting in license usage to the license master. * This value is intended for very large deployments (hundreds of indexers) where a large number of indexers may overwhelm the license server. * The maximum permitted interval is 1 hour, and the minimum permitted interval is 1 minute. * May be expressed as a positive number of seconds, minutes or hours. * If no time unit is provided, seconds will be assumed. * Defaults to 1 minute, or 1m. ... View more

It sounds like your search is making some assumptions about the fields present, and somehow those assumptions are only true for the one index. in stats .... by host index sourcetype splunk_server permission_type fillnull Obviously host, index, sourcetype and splunk_server will always be defined on all the incoming event rows. However i the extraction for permission_type isn't working right for the data in the other index or if the (very strange looking) "fillnull" field isn't really a field, then any rows with null values for either field will get thrown away. If none of the rows contain any value for permission_type or "fillnull" then you'll get no result rows out of that stats command. I would just look at the field values directly index=sterling | stats count by fillnull or even index=sterling | table fillnull permission_type . If there are null values anywhere, that extraction or that lookup field or what-have-you, will be your culprit. ... View more

I used the wrong wildcard in the match command. The edited answer should work. Or you can use like as in PPape's answer. ... View more

The quotes with the regex will have to be escaped. I prefer to use \d+ to avoid assumptions about the length of a number. ... View more

Yeah, ok, that is what I suspected. Thanks anyway! ... View more

Got it. Thank you so much. ... View more

ok then you can use this data. Why don't you use the "c" attribute of the user? normally there should the country of the user be. and you could use the department attribute for the external users. ... View more

You can do it like this: [yourSourcetype] LINE_BREAKER=(\r\n+)\d{2}-\d{2}-\d{4} If your event starts like 20-06-2016 ..... as twinspop said. LINE_BREAKER is preferred over BREAK:ONLY_BEFORE_DATE ... View more